Lost to the Highest Bidder: The Economics of Cybersecurity Staffing – Source: securityboulevard.com

For about a decade, much has been written about the scarcity of qualified cybersecurity talent. There’s no lack of available articles and tradeshow sessions offering tips for trying to attract and retain cybersecurity staff.

Yet what is often missed in these discussions is the true crux of the problem. When it comes to cybersecurity talent, supply and demand economics are amplified far beyond what is experienced in other fields due to the greater scarcity of talent and macroeconomic pressures. It isn’t just a problem of attracting talent and holding onto them with competitive salaries and solid recognition programs. Once HR has finally landed that ideal candidate, the bidding war continues — skilled employees are continually enticed by recruiters with dizzying salaries, signing bonuses and creative perks. In an inflationary economy with housing, energy and food costs escalating, many employees succumb to the temptation regardless of why they chose the company in question.

In short, the cybersecurity staffing issue doesn’t just result in open positions that can be filled with the right candidate. It results in an ongoing cycle of short-tenured, often never-fully-trained staff continually picked off by the highest bidders. For most, the result of this security revolving door is inadequately trained staff — whether seats are filled or not.

The High Financial and Security Costs of Short Tenures

Every organization has its unique infrastructure — a blend of software, hardware, software-as-a-service, security products, etc. Tech stacks are becoming increasingly complex, and with remote workers, BYOD, the complexity of cloud solutions and aggressively evolving threat actor tactics, training is both essential, lengthy and often ongoing. No matter what a security engineer’s training was before joining the organization, there is a long ramp to becoming adept in the specific environment and the processes, procedures, people and protocols of the business. In the current staffing economy, cybersecurity staff often leave before ever getting fully trained or before becoming experientially experts on the company’s needs. Many companies attempt to solve the issue by greatly increasing the salary cap of the position (often beyond what is comfortably scoped for the role) and rehiring, only to lose the replacement again before training is completed.

The lack of staffing continuity means some companies rarely have a full complement of trained cybersecurity staff, leaving them at risk of cyberattack. The costs of repeated training/onboarding are also difficult to support, particularly without reaping the benefits of the effort.

How Can You Retain Staff if it’s All About the Money?

While it’s true that supply-and-demand economics is a major influencer in staff movements, it isn’t the only motivator. There are things you can do to retain staff as well as alternatives to staffing in-house.

Retaining In-House Staff

It is important to begin by offering a competitive salary and total rewards package — because your competition most certainly will. But as discussed, there will always be a higher bidder trying to pick off your talent. To offset those external pressures, it’s important to offer such a compelling work environment that your team chooses to remain. Accomplishing this goes to the heart of understanding the types of people who choose cybersecurity as a field.

Most cybersecurity engineers and consultants want to be challenged and push the boundaries of technology. It’s essential to provide them with a diverse, challenging work experience: Offer them opportunities to take a tool apart, analyze it and create something different. Let them learn new functions, operating environments and skills and be exposed to new challenges frequently. An important key is to keep the job interesting and provide a lot of freedom to push the bounds of what is possible. Roles that expect security staff to do the same routine tasks day in and day out are unlikely to be compelling.

Also, while many companies talk about having a “family” or “team” environment, this must go beyond lip service. Some of the best, most cohesive cybersecurity teams remain intact because they have truly established a strong camaraderie among their staff. Cybersecurity can involve long hours, shift work, etc., and by creating an environment of trust and partnering and allowing them to control (to some extent) how that is structured, they will develop patterns that work for them and bonds among them. They should feel they are in the trenches together because, ultimately, they are. Bonded teams are much more likely to wish to remain.

Managed Security Services (MSS) Providers

Many companies have turned to MSSPs to assist with security functions to address the lack of retention and to obtain a continual bench of expertise in this critical area. By leaning on a third party that is always fully staffed, companies can avoid wasting effort and money on the rinse-and-repeat cycle of hiring, training and losing staff.

Cybersecurity Staffing is a Must, so Work to Solve the Problem

Today, cybersecurity is more critical than ever as threats are evolving to a high degree of sophistication. It’s important not to throw in the towel — keep working on the right mix of environmental, monetary and experiential factors to retain talent over the long term, or look into MSSP offerings to ensure you remain fully armed against ongoing threats.